maemo.org - Talk


t-b 2015-10-10 08:00

N900 security without corporate support
 
Hopefully someone with more technical knowledge than me can provide some insight. How secure is an up-to-date N900 currently when you only use the standard applications and maybe occasionally the browsers in the repo?
The N900 hasn't received security updates for a long time now so I am wondering how safe we are and what we can do to protect ourselves.

I basically try to avoid browsing at all or browse for a short period of time and only to sites I trust.
I have easy debian installed, so for 'less trustworthy sites' I can always use a recent version of iceweasel. Easy debian makes use of a chroot so I assume that is intrinsically more secure than using standard maemo apps.
That is only browsing though.. other apps I should avoid or at least be aware of?

sicelo 2015-10-10 10:28

Re: N900 security without corporate support
 
It's old. What are your needs? It's much better if you explain your requirements; then you can be told if those are possible or not.

t-b 2015-10-10 13:31

Re: N900 security without corporate support
 
OK - not sure about my needs because they can change daily but it basically boils down to (next to just using it as a phone) this:

- Maemo platform with the latest (stable CSSU) - how secure is just enabling internet out of the box? What about security updates for libraries? Is
- Browsing (1) - how secure is the default browser or any of the alternatives in the repos
- Browsing (2) - how secure is using easy debian for browsing or other uses (I assume the most secure solution - but I might be totally wrong)

- Other not updated apps that use connections to the internet or bluetooth (e.g. Twitter app - Mail - Facebook - Telegram - emacs)
- I haven't tried it yet, but also interested in using something like modrana

I am just trying to understand what the security risks are - what can happen (worst case) - how to prevent, detect or fix security issues. After understanding the risks one can decide how to continue to use the phone.
I am not paranoid btw ;)

michaaa62 2015-10-10 17:58

Re: N900 security without corporate support
 
Just new today http://talk.maemo.org/showpost.php?p...postcount=2217
Including security update for libssl0.9.8

reinob 2015-10-10 18:52

Re: N900 security without corporate support
 
Quote:

Originally Posted by t-b (Post 1484986)
Hopefully someone with more technical knowledge than me can provide some insight. How secure is an up-to-date N900 currently when you only use the standard applications and maybe occasionally the browsers in the repo?
The N900 hasn't received security updates for a long time now so I am wondering how safe we are and what we can do to protect ourselves.

I basically try to avoid browsing at all or browse for a short period of time and only to sites I trust.
I have easy debian installed, so for 'less trustworthy sites' I can always use a recent version of iceweasel. Easy debian makes use of a chroot so I assume that is intrinsically more secure than using standard maemo apps.
That is only browsing though.. other apps I should avoid or at least be aware of?

At the risk of oversimplifying the situation, using your N900 is, in terms of security risks, similar to using any other up-to-date Linux. There are basically no Linux-based exploits in the wild. And N900/Maemo being not quite a "standard" Linux, some things will be missing, which implies that e.g. an exploit requiring bash will fail (because we have busybox), etc.

Note also that chroot has nothing to do with (real) security.

Obviously there are many -- known and unknown -- unpatched bugs and security holes, but for most practical purposes you're safe -- safer than with a modern Windows with an up-to-date antivirus anyway :)

Tsippaduida 2015-10-10 19:45

Re: N900 security without corporate support
 
I agree with reinob.

The usual reason for writing an exploit for a system is getting economic benefit somehow. The N900 is such a rare phone that an attacker has a hard time getting major money by attacking it. Of course it is possible to hit a jackpot, but I think an attacker has a better chance by attacking iOS or Android.

Naturally this does not exclude people who write nasty software just out of curiosity, but again, why would they choose a nearly six-year-old system? Naturally generic web page exploits against browsers might hit us, but even they might grind to a halt when the browser gives access to an underlying system which is alien to the attacker.

t-b 2015-10-11 10:17

Re: N900 security without corporate support
 
It is awesome to see a phone as old as the N900 is still maintained and software improved. The CSSU team is doing an amazing job keeping the phone relevant.

Quote:

Originally Posted by reinob (Post 1485047)
Obviously there are many -- known and unknown -- unpatched bugs and security holes, but for most practical purposes you're safe -- safer than with a modern Windows with an up-to-date antivirus anyway :)

This is basically my main concern - there are tons of security holes being regularly patched in my Ubuntu and Debian PC. My N900 may not be the main target but there is still a risk. In some cases I just like the risk to be as low as possible - then I will probably use something like Easy Debian / DebiaN900. Thanks for alleviating at least some of my worries.

